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Abstract 

Recently, a colour image encryption algorithm based on chaos was proposed by cascading two position permutation oper- 
ations and one substitution operation, which are all determined by some pseudo-random number sequences generated by 
iterating the Logistic map. This paper evaluates the security level of the encryption algorithm and finds that the position 
permutation-only part and the substitution part can be separately broken with only f(log2(3MA^))/8] and 2 chosen plain- 
images, respectively, where MN is the size of the plain-image. Concise theoretical analyses are provided to support the 
chosen-plaintext attack, which are verified by experimental results also. 
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1. Introduction 

Security of multimedia data (image, video, au- 
dio/speech) become more and more important as it is trans- 
mitted over all kinds of wired/wireless networks more 
and more frequently. Both design and security analysis 
of multimedia encryption algorithms have been received 
keen attention of the related researchers in the past decade 
lil I2I Ij, |4J, ISD . Due to the subtle similarity between some 
dynamical properties of chaos, like sensitivity to changes 
of initial condition and control parameter of chaotic sys- 
tems, and the basic properties of cryptography, diffusion 
and confusion, chaos was considered as a special vvay to 
design secure and efficient encryption algorithm laLZllsl]. 
As image data is a representative form of multimedia data, 
and it helps to show the claimed good performances of the 
proposed encryption algorithms, most chaos-based encryp- 
tion algorithms adopt image data as encryption object. 

According to the record of Web of Science, more than 
four hundred papers on designing chaos-based image en- 
cryption schemes were published between 1997 and 2011 
(inclusive). Meanwhile, no more than one hundred and half 
papers on security analysis of chaos-based image encryp- 
tion schemes were published. Short of scrutiny on the se- 
curity makes many chaos-based image encryption schemes 
are insecure against some conventional attacks, such as 



known/chosen- plai ntext attack and chosen-ciphertext at- 
tack Igl [lOl [ill ll2|]. Some representative chaos-based en- 
cryption algorithms and a general framework evaluating se- 
curity of this class of encryption algorithms were concluded 
in 11311 . In many chaos-based image encryption algorithms, 
a chaos system, composed of one or more chaotic maps, is 
used to generate pseudo-random number sequence (PRNS), 
which is then adopted to determine and control combina- 
tion of some basic encryption functions lll4 Il5ll . In dig- 
ital domain, finite precision computation and quantization 
process make some dynamical properties of chaos system 
be degenerated in some form, which may cause potential 
threat to security of the chaos-based encryption algorithms 
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The present paper analyzes the security of the image 
encryption algorithms proposed in lll7ll and finds that the 
three basic encryption operations of the algorithm are all 
key-bivertible, i.e. the unknown information controlling an 
encryption operation can be derived directly from the in- 
put and its output result. Furthermore, the three encryption 
functions are run independently. So, the position permu- 
tation part and the substitution part of the image encryp- 
tion algorithm under study can be broken separately with 
a few chosen plain-images. Both detailed theoretical anal- 
yses and experimental results are presented to support the 
chosen-plaintext attack. 

The rest of this paper is organized as follows. The 
next section introduces the image encryption algorithm un- 
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der study briefly. Section |3] presents an eflicient chosen- 
plaintext attack on the encryption algorithm with some ex- 
perimental results. The last section concludes the paper 

2. The colour image encryption algorithm under study 

The plaintext of the encryption algorithm under study is 
a RGB colour image of size M xN (heightxwidth), which 
can be represented as a MxA^x 3 matrix of pixel values / - 
{I(iJ,k)f^oj=oI=o = {(R{i,j),G(i,j),B(iJ))fs^^:^^-'. Sim- 
ilarly, the corresponding cipher-image is denoted by /' = 

Then, the colour image encryption algorithm under study 
can be described as followo 



The secret key is composed of two positive integers 
OTi, 1112, and two sets of initial condition and control 
parameter of the logistic map 



f(x) ^ jj. ■ X ■ (I - x). 



(1) 



(jccjuo), (xl,l^l), where xo,x'^ E (0,1), and ;Uo,/^5 e 
(3.5699456,4). 

The initialization procedure: 

(1) Iterate the logistical map ([TJ m^ times from initial 
condition xq to obtain a new initial condition under 
fixed control parameter fiQ. Then, further iterate it 3M 
times to get a chaotic states sequence {X/)^J^"'. Fi- 
nally, a permutation sequence (r/)^^"' is derived by 
comparing {X/);^^"' and its sorted version, where Xt, 
is the l-th largest element in the sequence {Xi]^^^^\ 

(2) Iterate the logistical map ([TJ m2 times from ini- 
tial condition x^ to obtain a new initial condition un- 
der fixed control parameter fi'^. Then, further iterate it 
3MN times to get a chaotic states sequence {X^]^^^^^ ■ 
For / - ~ M - 1, obtain another permutation se- 
quence {r*,};^^-' by comparing {^5,;v+,)^i^"' and its 
sorted version, where X^^^j.. is the l-th largest ele- 



(3^-1 
3i7V+/JZ=0 ■ 



ments in sequence {X: 

(3) Generate a PRNS {Yi}]^^^-^ from the sequence 



1=0 
14 I 



f^nto via Yi = L^; ■ lO'^J mod 3, where 



(fl mod b) - a -b ■ \_alb\ 



when b ^ 0. 



(4) To make the numbers of the three different ele- 
ments in {Yi}^^^^^ are all equal to MN, update the last 



' To make the presentation more concise and complete, some notations 
in the original paper 11711 are modified under the condition that essential 
form of the encryption algorithm is kept unchanged. 



Yi 



3MN - 1 elements as foflows: for / = 1 ~ 3MN - 1, 
set 

1, if Yi = 0, «o > MN and ni < MN, 

2, if Yi = 0, «o > MN and ni > MN, 
2, if y, = 1, «i > MN and «2 < MN, 
0, if 7/ = 1, «i > MN and «2 > MN, 

0, if Yi = 2, n2 > MN and «o < MN, 

1 , if 7/ = 2, n2 > MN and «o > MN, 

where «o, ni, ^2 represent the number of 0, 1, 2 in 
{y,)|^Q, respectively. 

(5) Generate another PRNS {Z/ 



quence {Xp 



\3MN-l 
7=0 



\3MN-l 
'1=0. 



from the se- 



viaZ, = L^; ■ 10'^Jmod256. 



The encryption procedure is a simple concatenation of 
the following three encryption operations. 

{!) Row permutation: for/ = ~ M-l, y = ~ A^-1, 
;t = ~ 2, set 

ni,j,k)^I(i\j,k*), 



where /* = TkM+i mod M, k* - 

(2) Column permutation: for / 
A?- l,/t = 0~2, set 



LrtM+,7Mj. 

= ~ M - 1, ;■ 



r{i,j,k) = ni,r,k"), 



where /* 

(3) Substitution: First, let 



^aiV+y-modMr* 



in^.j/Ni- 



/'(0, 0, Yo) = (/"(0, 0, Yo) + Zo) mod 256. (2) 

Then, one pixel is selected iteratively from the other 
un-encrypted pixels of the intermediate image /** - 
{l*\i,j,k)]f:f,'fo^l'^o according to a PRNS [Y,]]^,''-\ 
determining which channel's pixel is chosen. The se- 
lected pixels are encrypted by the previous selected 
pixel, the corresponding cipher-pixel and a pseudo- 
random number as follows: calculate 



ni,j,k)^{r{i,j,k) + r(i',f,k') 

+ I' (i',j',k') + Zi) mod 256 (3) 

for / = 1 ~ 3MN - 1, where 

/ - \jiklN\, j - nk mod N, k - Yi, 
i' - [nk'/N], f - nit' mod N, k' = Yi^i, 

nit and n^- represent the number of k and k' in {i'rl'^Q 
and [Yi]'^Zq, respectively. 



The decryption procedure is similar to the encryption 
one except the following points: (1) the above en- 
cryption operations are run in a reverse order; (2) the 
permutation sequences are replaced by their invertible 
versions; (3) equation (|2]i and Eq. (O are replaced by 



/"(0, 0, Fo) = (/'(0, 0, Yq) - Zo) mod 256 



and 



r(i,j,k)^(i'(ij,k)-r(i'j',k') 

-I'(i',j',k')-Z,) mod 256, 
respectively. 

3. Chosen-plaintext attack 



In lllTl Sec. 3.2.6], it is claimed that the image encryption 
algorithm under study is robust against chosen-plaintext at- 
tack based on the following two points; (a) the used PRNSs 
are all sensitive to changes of secret key; (b) the substitu- 
tion function ^ owns a feed-back mechanism. However, 
we will show that the claim is not right in this section. As 
the image encryption algorithm under study is composed of 
three independent encryption operations, the position per- 
mutation part and the substitution part can be broken sepa- 
rately with a strategy of Divide and Conquer. 

As for plain-images of fixed value, both the Row permu- 
tation and the Column permutation are canceled and only 
the Substitution is left. Assume two chosen plain-images of 
fixed value I[ = {Ii{i,j,k) = di], Ii - {l2{i,j,k) = di] are 
available. From Eq. ^, one has 



/; (0,0, Yq) = (/i (0, 0, Fo) + Zo) mod 256 (4) 



and 



4(0, 0, Yq) = (/2(0, 0, Yq) + Zo) mod 256. (5) 

Subtract Eq. (|5]l from Eq. (|4), one has 

(/;(0, 0, Fo) - /2(0> 0, Yq)) e{D,D- 256, D + 256), (6) 

where D - d\ - d2- Referring to Eq. ^, one has 

I[{i,j,k)^(Ii(iJ,k) + Ii(i',f,k') 

+ I[(i',j',k')+Zi) mod 256, (7) 

I'2(i,j,k)^(l2(i,j,k) + l2(i',j',k') 

+ I'2(i',j',k')+Zi) mod 256 (8) 

for Z = 1 ~ 3MN - 1, where (i,j,k) and {i',j',k') are de- 
termined by {FrlJ^o ^^'^ {^'!'=o respectively, as the above 
section. Subtract Eq. dS) from Eq. (jT), one has 

(/; -I'2)(i, j, k) = (2D + {I[ -/0(/', /, k')) (mod 256) (9) 



where (/; - m,j,k) = I[{i,j,k) - I'^(i,j,k), and (I[ - 
r^)(i',i',k') = I[(i',i',k') - r^(i',i',k'), the same here- 
inafter. 

Then, a property of (/J - /j) can be presented as follows. 

Property 1. Difference between the cipher-images of /] 
and I2 satisfies that 



(/; - I'2){i, j, Yi) = {{21 + 1)D) (mod 256) 



(10) 



fori ^ ~ 3MN - 1, where (/, ;) = (0, 0) when I = 0, 
{i, j) - (L(«F/ + 1)/-^J. («y, + 1) mod A^) otherwise, and ny, 
denotes the number of the elements in {F,)J^q, whose values 
are equal to Yi. 

Proof. This property can be proved via mathematical in- 
duction on /. When / = 0, one can get 

(/; - /2)(0, 0, Yq) = D (mod 256) 

from Eq. (|6]l, which means Eq. ( fTOl i holds for / - 0. Assume 
Eq. ([Toll holds for / = f, i.e., 

(/; - /0(/, ;, Y,) = {{21* + l)D) (mod 256) 

where /* < 3MN - 1 . Then, let us study the case for / = 
(f + I). From Eq. (|9]i, one has 

(/; - /0(/, ;, Y,^i) = {2D + (/; - /^)(/, ;, Y,. )) (mod 256) 
= {{2{l* + l)-^■ 1)D) (mod 256). 

This completes the mathematical induction, hence finishes 
the proof of the property. D 



Utilizing Property 1, one can get the estimated version of 



Yo, 



Fo = 



if (/; - /^)(0, 0, 0) s D (mod 256), 

1 if(/; -4)(0,0, 1) = £) (mod 256), (11) 

2 if (/; - /;)(0, 0, 2) = D (mod 256), 



when D + 128. Obviously, one can assure Yq - Yq defi- 
nitely when 

#({/t|(/;-/2)(0,0,/t) = D (mod 256)1) = 1, (12) 

where #(■) denotes the cardinaUty of a set. Once the value 
of Yq is determined, the estimated values of {F/}^*['*'"', 
jy^ jSMW-i ^ can be obtained in order with the similar method, 
namely set 

y, = ^ if (/; - /^)(/,, ;,, k) = {{21 + l)D) (mod 256) 

for Z = 1 ~ 3MN - 1, where i,, = [("a + 1)/A^J,Ja = 
(«t -I- 1 ) mod N, and nk represents the number of k in {Y,]'^Zq 



Referring to III8I Sec. 5.4], one can get period of the 
sequence {(2/* + 1)£)) mod 256)3^^-', T = .-Jfoase) = 
cd m\56) ■ ^° '^^^P estimate success probability of this at- 
tack, we give another property of (/J - /^ as follows. 



Property 2. Inequality 

# {[k I (/; - I'^){k, jk, k) = ((21* + 1)D) (mod 256)}) > 1 

holds if and only if 

Y,.^s i lY,]l)r\ (13) 

where (S mod T) - 0, ik - [(ni; + 1)/Ni, ju - (nj + 1) mod 
A^, and n^ represents the number ofk in {Yt}\^^ 



The upper bound probability Prob(MN) is a strictly 
increasing function with respect to MN; 



/•-I 
• 



Proof. Assume, for the purpose of contradiction, that cer- 
tain r satisfies K/.+s i {i';}Jl).'^"' and such that 

#({k I (/; - I'2)(ikJk,k) = ((ir + l)D) (mod 256)}) = 1. 

From Property 1 and the hypothesis, one has 

(21* + 1)D + (2(1* +S) + 1)D (mod 256), 

which leads to 

^ 25D (mod 256). 

Then, one has 

(S mod T) = S mod 



128 



gcd(D,256) 

2D ■ 128 
(2SD) mod 



gcd(D,256) 



= (25£))mod|256 

^0, 



D 



gcd(D,256) 



thereby contradicting with the given condition. So, the 
property is proved. D 

Assume that Yi uniformly distributes over (0,1,2) for 
/ = ~ 3MN - 1, one can calculate the probability that 
condition ([13] ) in Property 2 hold for a given l* and T, 

Prob[Y,.st{YCr]-[[lf-\\ 

where A: e {I,-- ,12MN/Ti}. Then, an upper bound of the 
probability that condition (fTST i hold can be got as 

Prob(MN) ^ 2^^^^ (3MN-kT)\i-\ •- . 

When T = 128, one can calculate Prob(2212 ■ 1704) ^ 
1 .1 173 • 10"'* for a relatively big plain-image of size 2272 x 
1704. As for plain-images of smaller size, one can assure 
that the success probability of this attack is much bigger 
than (1 - 1.12 • 10 '*) due to that the following points hold 
at the same time. 



Even Eq. ( fT3l l holds, Y^ - Y^ would still happen with 
iori- 

2 ui 3, 



probability 5 or i; 



• The value of Prob(MN) is calculated by summarizing 
the probability of some cases that may happen simul- 
taneously. 

Based on the above analysis, one can conclude that break- 
ing of the Substitution part can be implemented success- 
fully with an extremely high probability. 

Once the equivalent secret key determining Substitution 
is recovered, the image encryption algorithm under study 
becomes a position permutation-only gray-scale image en- 
cryption algorithm composing of the Row permutation and 
the Column permutation. Considering the number of possi- 
ble positions of every plain-pixel is 3MN, the bit length of 
each element of chosen plaintext should be [log2(3MA^)] to 
assure that every permuted elements are different from each 
other As bit size of every channel of plain-image is fixed 
to 8, only [(log,(3MA^))/8] pairs of chosen plain-images 
are required to recover the equivalent version of {7";}^^^"' 
and [T* /} i^^i |'^^^ . Referring to quantitative cryptanaly- 
sis of permutation-only encryption algorithms in 119. 2011 . 
the complexity of breaking the position permutation part is 
only 0(3MN). 

To validate the performance of the proposed attack, a 
great number of experiments on some plain-images of size 
512 X 512 were made with some randomly selected secret 
keys. Whenjuo = 4.0, xq = 0.123456789764, mi = 1000, 
pI = 3.999999, x*^ = 0.567891234567 and mz = 2000, two 
chosen plain-images of fixed pixel value 127 and 0, shown 
in Fig.[T^) and b) respectively, are used to recover the PRNS 
{y^)3MiV-i rpj^gjj^ r(log2(3 X 2^ • 2^))/81 = 3 pairs of cho- 
sen plain-image are constructed to recover the equivalent 
secret of the position permutation-only part. Finally, the 
equivalent versions of the sub-keys controlling two main 
encryption parts are used together to break a cipher-image 
encrypted with the same secret key, which is shown in 
Fig. [T]:). The decryption result is shown in Fig. [T]J) and 
it is identical with the original plain-image, which verifies 
the effectiveness of the proposed attack. 

4. Conclusion 

This paper studied the security of a novel colour image 
encryption algorithm based on chaos proposed in lll7ll . It 
is found that the encryption algorithm can be broken with 
chosen-plaintext attack efficiently. The number of required 
chosen plain-images and complexity of the attacking are 




Figure 1: Chosen-plaintext attack: a) tlie cliosen plain-image of fixed 
value 127; b) the chosen plain-image of fixed value 0; c) the cipher- 
image of plain-image "Baboon"; d) the recovered plain-image of the im- 
age shown in Fig.[T];). 



proportional to a logarithm of size of plain-images and the 
size, respectively. As a conclusion, the image encryption 
algorithm under study is not suggested in serious applica- 
tions requiring a high level of security. 
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